The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor

🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurency

🤝After gaining the trust of the target, the threat actor sent a weaponized Excel document to the target containing further details on the fees to appear legitimate.

💀The macro is obfuscated and abuses UserForm to store data and variables. #infosec #threatintel #malware

☠️The macro then dropped another Excel sheet and executed it in invisible mode. This sheet was encoded in base64 and dropped into C:\ProgramData\Microsoft Media\ as VSDB688.tmp. #malware

👾The VSDB688.tmp file then downloaded a PNG file from OpenDrive containing three executables: a legitimate Windows file, a malicious DLL, and a XOR encoded backdoor. #malware

💀The legitimate file was used to sideload the malicious DLL, which acted as a proxy to the legitimate DLL and loaded the XOR encoded backdoor. #backdoor

The malicious wsock32.dll is loaded by logagent.exe through DLL side-loading and uses DLL proxying to call the legitimate functions from the real wsock32.dll. The screenshot shows the redirection of the function in the malicious dll. #malware #infosec

☠️The malicious wsock32.dll loads and decodes the final implant into the memory with the GUID name which is used to remote access the infected machine. #malware

🧐We identified several related attacks that deployed the same payload in trojanised applications. #cryptocurrency #malware #threatintel